
Re: Trigger a DOM event/error when a CSP violation happens.

From: John J Barton <johnjbarton@johnjbarton.com>
Date: Fri, 26 Oct 2012 16:12:37 -0700
Message-ID: <CAFAtnWwzDREZ2HfTLdCh_psr9J4XC4QMOLrR+Yt524UL7=H9Kg@mail.gmail.com>
To: Dan Veditz <dveditz@mozilla.com>
Cc: Adam Barth <w3c@adambarth.com>, "Eduardo' Vela" <evn@google.com>, public-webappsec@w3.org

On Fri, Oct 26, 2012 at 3:53 PM, Dan Veditz <dveditz@mozilla.com> wrote:
...
> Such APIs would be out of scope for this WG so I'd just like to state the
> privacy principle that user-agent supplied policies do not report violations
> to the originating server or page content.

Similarly, extension-supplied policies should not report. Otherwise
web pages can probe the user's installed extensions.

jjb

> I'm not against firing events at
> the page for violations of the page's own policy.
>
> -Dan Veditz
>
Received on Friday, 26 October 2012 23:13:03 GMT
